22CSH-394_ Identity And Access Management


CU / AIT / COMPUTER SCIENCE AND ENGINEERING / 6/ 22CSH-394

APEX INSTITUTE OF TECHNOLOGY (AIT)

Department of Computer Science and Engineering

B.E. – Computer Science and Engineering

SEMESTER : 6th

SUBJECT NAME : Identity & Access Management

SUBJECT CODE : 22CSH-394

FACULTY : Dr. Gurpreet Singh Panesar


Contents of Course File (Sr. No., Particular, Page No.)

1. University Vision and Mission, p. 2
3. PEO, p. 3
4. PSO, p. 3
5. PO, p. 4
6. Academic Calendar, pp. 5-6
7. Course Objectives, p. 7
8. Course Outcomes, p. 7
9. List of Experiments (mapped with COs), pp. 15-16
10. Mapping of COs/POs/PSOs
11. Lecture Plan
12. List of Students
13. Experiments 1 to 10: Aim; Objective; Input/Apparatus Used; Procedure/Algorithm/Code; Observations/Outcome; Discussion; Viva Voce Questions

Vision of the University
“To be recognized as a centre of excellence for Computer Science & Engineering education and research, through effective teaching practices, hands-on training on cutting-edge computing technologies and excellence in innovation, for creating globally aware competent professionals with strong work ethics who would be proficient in implementing modern technology solutions and shall have entrepreneurial zeal to solve problems of organizations and society at large.”

Mission of the University


M1: To provide relevant, rigorous and contemporary curriculum and aligned assessment system to ensure effective learning outcomes for engineering technologies.
M2: To provide a platform for industry engagement aimed at providing hands-on training on advanced technological and business skills to our students.
M3: To provide opportunities for collaborative, interdisciplinary and cutting-edge research aimed at developing solutions to real-life problems.
M4: To imbibe a quest for innovation, continuous learning and zeal to pursue excellence through hard work and a problem-solving approach.
M5: To foster skills of leadership, management, communication, team spirit and strong professional ethics in all academic and societal endeavors of our students.

Programme Educational Objectives, Programme Specific Outcomes and Programme Outcomes

ACADEMIC CALENDAR
COURSE OBJECTIVES

The course aims to:

1. Cover the foundational concepts of Identity and Access Management (IAM), including identity management, access control, and authentication mechanisms.
2. Have students explore directory services such as LDAP and techniques for secure user role management and directory-based access control.
3. Cover authentication methods such as Kerberos, Single Sign-On (SSO), and multi-factor authentication for enhancing security.
4. Teach auditing, reporting strategies, and compliance measures to ensure effective monitoring and security of IAM systems.
5. Have students learn to design and implement IAM solutions using Privileged Identity Management (PIM) and Identity-as-a-Service (IDaaS) for enterprise environments.

Course Outcomes (COs)

Upon successful completion of this course, learners will be able to:

CO1: Understand the fundamental concepts of Identity and Access Management (IAM), including its components, strategies, and integration for enterprise solutions.
CO2: Apply the LDAP architecture to manage directories, track user roles, and ensure secure directory-based user management.
CO3: Evaluate authentication mechanisms such as Kerberos, Single Sign-On (SSO), and Federated Identity Management to enhance security in enterprise systems.
CO4: Analyze multi-factor authentication techniques, including OTP, TOTP, and HOTP, and implement effective auditing and reporting strategies for compliance.
CO5: Design and implement IAM solutions using Privileged Identity Management (PIM) and Identity-as-a-Service (IDaaS), and ensure adherence to corporate security policies.

Course Name: Identity & Access Management (22CSH-394)

SN: 1
Course Code: 22CSH-394
Course Name: Identity & Access Management
L-T-P-C: 3-0-4-3
Course Category: PC*
Course Type: Hybrid
Course Coordinator: Dr. Gurpreet Singh Panesar
Pre-Requisites: Basic knowledge of networking, operating systems, and cybersecurity fundamentals; basics of AWS.
Co-Requisite: Nil
Anti-Requisite: Nil

Mapping of Course Outcomes to Student Performance Indicators, Outcome Indicators (ABET), Level of Learning (Highest BT Level) and Target Attainment

CO1: Understand the fundamental concepts of Identity and Access Management (IAM), including its components, strategies, and integration for enterprise solutions. Student Performance Indicator: 1.2, 1.3; Outcome Indicator (ABET): SO1; Level of Learning: 2 (Understand); Target Attainment: 2.1

CO2: Apply the LDAP architecture to manage directories, track user roles, and ensure secure directory-based user management. Student Performance Indicator: 1.2, 3.1, 5.1; Outcome Indicator (ABET): SO2, SO4; Level of Learning: 3 (Apply); Target Attainment: 2.1

CO3: Evaluate authentication mechanisms such as Kerberos, Single Sign-On (SSO), and Federated Identity Management to enhance security in enterprise systems. Student Performance Indicator: 4.2, 5.1; Outcome Indicator (ABET): SO3, SO5; Level of Learning: 3 (Apply); Target Attainment: 2.1

CO4: Analyze multi-factor authentication techniques, including OTP, TOTP, and HOTP, and implement effective auditing and reporting strategies for compliance. Student Performance Indicator: 3.1, 5.1; Outcome Indicator (ABET): SO3, SO5; Level of Learning: 4 (Analyze); Target Attainment: 2.1

CO5: Design and implement IAM solutions using Privileged Identity Management (PIM), Identity-as-a-Service (IDaaS), and ensure adherence to corporate security policies. Student Performance Indicator: 5.1, 5.2; Outcome Indicator (ABET): SO5, SO6; Level of Learning: 4 (Analyze); Target Attainment: 2.1
SYLLABUS:

Unit-1 (Contact Hours: 12 Hours)

INTRODUCTION TO IAM: Identity Management (IdM); Access Management (AM); Five Elements of Security; Key Concepts of Identity and Access Management; Uniting Identity and Access Management

IAM FOR AN ENTERPRISE: Business Challenge; IAM Strategy Framework; Identity Management Drivers; Cost of IAM Over Time; Business Drivers of IAM

INTRODUCTION TO LDAP: Directories; LDAP: Protocol or Directory; LDAP History and Standards; Directory Components

LDAP CONCEPTS & ARCHITECTURE: Overview of LDAP Architecture; The Informational Model; The Naming Model; Functional Model; Security Model; Directory Security

SINGLE SIGN-ON TECHNIQUES: Introduction; Types of Single Sign-On; Single Sign-On Protocols

ACCESS CONTROL: Discretionary Access Control (DAC); Mandatory Access Control (MAC); Role-Based Access Control (RBAC); Attribute-Based Access Control (ABAC); Static Separation of Duty (SSoD); Dynamic Separation of Duty (DSoD); Fine-grained and Coarse-grained Access Control

PASSWORD MANAGEMENT: The Challenges of Password Management; Single Password vs Multiple Passwords; Considerations for Using Different Passwords for Different Applications; Good Password Management Policies & User; System Security Features

Unit-2 (Contact Hours: 12 Hours)

INTRODUCTION TO FEDERATION: Kerberos and SPNEGO; Federated Identity Management Architecture; Security Assertion Markup Language; OAuth 2.0 Concepts; OpenID Connect Federations

ORIGIN OF MULTI-FACTOR AUTHENTICATION: Multi-factor Authentication versus Multi-step Authentication; Multi-factor Authentication Methods; Time-based One-time Password; HOTP vs TOTP: What's the Difference?

AUDITING & REPORTING: Auditing; The Role of Internal Auditors; Reporting Audit Results; Protecting Audit Results; Using External Auditors

Unit-3 (Contact Hours: 12 Hours)

INTRODUCTION TO IDENTITY MANAGER: Identity Manager; Centralized User Management; Simplify User Management; Lifecycle Management; Access Control Models of Identity Manager; Corporate Regulatory Compliance Using Identity Management; The Approach: Integrated IAM Governance with Intelligence and Accountability

PRIVILEGED IDENTITY MANAGER: Privileged IDs and Why They Are a Problem; Privileged Identity Manager; Introducing IDaaS

List of Practical Experiments:

UNIT-1 (Contact Hours: 15)

EXPERIMENT 1: Installation of IBM Security Identity Manager (ISIM) in VMware Workstation Player. (CO1)
EXPERIMENT 2: Instance Creation in IBM Security Directory Server (SDS). (CO2)
EXPERIMENT 3: Start and Stop IBM Security Directory Server (SDS) instances. (CO2)
EXPERIMENT 4: Import LDAP Data Interchange Format (LDIF) using Command Line. (CO2)
EXPERIMENT 5: Configuring & Logging in to IBM Security Identity Manager Administrative Console. (CO1)
EXPERIMENT 6: Creating the organization tree in the IBM Security Identity Manager Administrative Console. (CO1)
EXPERIMENT 7: Creating users in the IBM Security Identity Manager Administrative Console. (CO2)
EXPERIMENT 8: Creating a password policy in the IBM Security Identity Manager Administrative Console. (CO4)
EXPERIMENT 9: Creating a Linux Service in the IBM Security Identity Manager Administrative Console. (CO3)
EXPERIMENT 10: Creating an LDAP service in the IBM Security Identity Manager Administrative Console. (CO5)
EXPERIMENT 1

MAPPED COURSE OUTCOMES: Understand the fundamental concepts of Identity and Access Management (IAM), including its components, strategies, and integration for enterprise solutions. (CO1)

AIM: Installation of IBM Security Identity Manager (ISIM) in VMware Workstation Player.

OBJECTIVE: The objective of this experiment is to install and configure IBM Security Identity Manager (ISIM) in VMware Workstation Player while understanding its prerequisites, architecture, and deployment process. It also aims to provide hands-on experience in setting up a virtual environment for enterprise applications and developing troubleshooting skills for installation and configuration challenges.

STEPS OF PROCEDURE:

1 Introduction to IBM Security Directory Server 6.4.0.20 exercises

The purpose of this lab is to demonstrate the basic features of the IBM Security Directory Server (SDS) and to set up replication between two SDS servers.

This lab consists of the following activities:

1. Create two IBM SDS instances.
2. Import the sample data using LDIF.
3. Configure master-master replication between the IBM Security Directory Server instances.

The following lab environment has been configured:

1. Operating System: CentOS 7.7 installed on a VMware Workstation VM.
2. IBM Security Directory Server: version 6.4.0.20 x64 Linux. IBM Security Directory Server 6.4.0.20 includes the following middleware:

• DB2® Universal Database version 11.1.4 Enterprise Server Edition (DB2) with FixPack 5
• Global Security Kit (GSKit) Version 8.0.50
• IBM WebSphere ND 9.0.1

You have already worked with LDAP in the ISIM exercises above; the exercises below cover IBM Security Directory Server (SDS) in more depth.

Installation Paths:

1. SDS: /opt/ibm/ldap/V6.4/
2. DB2: /opt/ibm/db2/V11.1/
3. WAS: /opt/IBM/WebSphere/AppServer/
Learning Outcomes:
1. Successfully install and configure IBM Security Identity Manager on VMware Workstation Player.
2. Demonstrate the ability to set up a virtual environment for enterprise application deployment.
3. Understand the architecture and components of ISIM and its role in identity management.
4. Acquire skills to troubleshoot common issues during installation and configuration.
5. Develop a foundational understanding of enterprise-level identity and access management solutions.
Viva Questions:
1. What is the primary function of IBM Security Identity Manager (ISIM)?
2. Why is VMware Workstation Player used for ISIM installation?
3. What are the key prerequisites for installing ISIM in a virtual environment?
4. Explain the importance of identity and access management in enterprise
security.
5. What challenges might arise during ISIM installation, and how can they be
resolved?

EXPERIMENT 2

MAPPED COURSE OUTCOMES: Apply the LDAP architecture to manage directories, track user roles, and ensure secure directory-based user management. (CO2)

AIM: Instance Creation in IBM Security Directory Server (SDS).

OBJECTIVE: In this experiment, you will learn how to create an instance in IBM Security Directory Server (SDS), which involves configuring the server settings, defining directory structures, and setting up appropriate administrative access. The process includes utilizing command-line tools to ensure a properly initialized environment for directory management and secure access.

STEPS OF PROCEDURE:

Instance Creation

SDS version 6.4.0.20 allows multiple directory server instances to be run per machine. In this lab two instances will be used on a single VM. The instances to be created are:

• idsldap1: this instance will run on port 1389 (in places this instance is also referred to as the Primary Server in this document)
• idsldap2: this instance will run on port 2389 (in places this instance is also referred to as the Secondary Server in this document)

For ISIM, one instance was already created by default while installing ISIM; you can check the instance details using the below command in a terminal:
/opt/ibm/ldap/V6.4/sbin/idsilist -a

You can observe that the ISIM SDS instance uses port 389, the default LDAP port. Create the two new instances using the steps below:

1. Open Terminal from Desktop and navigate to the SDS folder:
cd /opt/ibm/ldap/V6.4/sbin/

2. Create two new users, idsldap1 and idsldap2, as the owners of the two new instances. For the first user:
./idsadduser -u idsldap1 -w P@ssw0rd -l /home/idsldap1 -g idsldap -n

You can check that the user is created successfully.

3. Similarly, add the second user idsldap2:
./idsadduser -u idsldap2 -w P@ssw0rd -l /home/idsldap2 -g idsldap -n

4. Create the instance for the idsldap1 user using the idsicrt command:
./idsicrt -I idsldap1 -e encryptionseed -l /home/idsldap1 -n

5. Similarly, create the instance for the idsldap2 user:
./idsicrt -I idsldap2 -e encryptionseed -l /home/idsldap2 -n

6. Now check the instance details again with the below command and confirm that the new instances idsldap1 and idsldap2 have been created:
/opt/ibm/ldap/V6.4/sbin/idsilist -a

7. Configure the database for the first instance idsldap1 using the idscfgdb command. The database idsldap1 is created in the idsldap1 DB2 instance after this command and all the SDS default tables are loaded into this database.

8. Similarly, configure the database for the second instance idsldap2 with the below command:
./idscfgdb -I idsldap2 -w P@ssw0rd -a idsldap2 -t idsldap2 -l /home/idsldap2 -n

9. Minimize the Terminal window and double-click the Home icon on the Desktop. Click Other Locations in the left pane, double-click Computer and then home, and you can see the two folders below. idsldap1 and idsldap2 are the SDS instance owner home directories.

10. Double-click the idsldap1 directory and you can see the idsslapd-idsldap1 folder, which holds all instance-related configuration and log files.

11. Minimize the Files window and go back to the Terminal window. Create the admin user (cn=root) for the idsldap1 instance, which is used to perform administrative tasks on the LDAP instances.

12. Similarly, for the idsldap2 instance create the admin user cn=root as below:
./idsdnpw -I idsldap2 -u cn=root -p P@ssw0rd -n
The user is successfully created. We will use this user to connect to the LDAP server and perform admin tasks.

13. Close Terminal.

Learning Outcomes:

1. Understand the concept of directory instances in SDS.
2. Gain hands-on experience in instance creation and configuration.
3. Learn to configure administrative access and secure the instance.
4. Understand the role of instances in server management.
5. Be able to troubleshoot common issues during the instance creation process.

Viva Questions:

1. What are the key steps involved in creating an instance in IBM SDS?
2. What configurations are necessary when creating an instance?
3. What is the purpose of defining administrative access during instance creation?
4. How do you ensure the security of the instance after creation?
5. What tools are used to verify the successful creation of an instance?

EXPERIMENT 3

MAPPED COURSE OUTCOMES: Apply the LDAP architecture to manage directories, track user roles, and ensure secure directory-based user management. (CO2)

AIM: Start and Stop IBM Security Directory Server (SDS) instances.

OBJECTIVE: This experiment focuses on learning how to start and stop IBM Security Directory Server (SDS) instances. Mastering these operations is crucial to maintain system stability, resource management, and secure access to the directory services.

STEPS OF PROCEDURE:

1.1 Start and Stop IBM SDS instances

To start and stop IBM SDS instances follow the steps below:

1. Open Terminal from Desktop.

2. Start the newly created SDS instance idsldap1 using the below command:
/opt/ibm/ldap/V6.4/sbin/ibmslapd -I idsldap1 -n -t
You can see that the server has started.

3. Similarly, start the idsldap2 instance using:
/opt/ibm/ldap/V6.4/sbin/ibmslapd -I idsldap2 -n -t

4. To stop the instance idsldap1, enter the below command:
/opt/ibm/ldap/V6.4/sbin/ibmslapd -I idsldap1 -k

5. Similarly, to stop the idsldap2 instance, enter the below command:
/opt/ibm/ldap/V6.4/sbin/ibmslapd -I idsldap2 -k

6. Start both instances again:
/opt/ibm/ldap/V6.4/sbin/ibmslapd -I idsldap1 -n -t
After startup is completed:
/opt/ibm/ldap/V6.4/sbin/ibmslapd -I idsldap2 -n -t

Learning Outcomes:
1. Understand the importance of properly starting and stopping SDS instances.
2. Gain proficiency in using commands to control SDS instance operations.
3. Learn to manage system resources effectively by controlling server instances.
4. Ensure high availability by understanding the impact of stopping instances.
5. Be able to monitor the health and status of SDS instances.

Viva Questions:
1. Why is it important to properly start and stop SDS instances?
2. Which commands are used to start and stop an SDS instance?
3. What impact can starting or stopping an instance have on the directory service?
4. How can you monitor the status of an SDS instance?
5. What precautions should be considered when stopping an SDS instance?

EXPERIMENT 4

MAPPED COURSE OUTCOMES: Apply the LDAP architecture to manage directories, track user roles, and ensure secure directory-based user management. (CO2)

AIM: Import LDAP Data Interchange Format (LDIF) using Command Line.

OBJECTIVE: In this experiment, you will learn to import LDAP data using the LDIF format. The LDIF format is commonly used for transferring directory data between servers. This task will ensure that you can efficiently import large volumes of directory entries into SDS.

STEPS OF PROCEDURE:

1.1 Import LDIF

The LDAP Data Interchange Format (LDIF) is a standard plain-text data interchange format for representing LDAP (Lightweight Directory Access Protocol) directory content and update requests.

We will see two ways of importing LDIF:

• Import LDIF using Command Line
• Import LDIF using LDAP Browser

Import LDIF using Command Line in Terminal

1. We will import user data into the organization “o=jke” using an LDIF file. Open Terminal and navigate to /classfiles:
cd /classfiles

2. Create the file User1.ldif in this folder. Use gedit to open it:
gedit User1.ldif

3. Copy or type the below LDIF entries into the file:

4. Save the file and close it.

5. In the terminal, enter the idsldapadd command as below for idsldap1:
/opt/ibm/ldap/V6.4/bin/idsldapadd -D cn=root -w P@ssw0rd -p 1389 -i /classfiles/User1.ldif
You can see the output as below:

Note: the users are currently added only to the idsldap1 instance, because the command was run with -p 1389, the port of idsldap1.

Operation 0 adding new entry cn=joe, o=jke
Operation 1 adding new entry cn=carry, o=jke

Two users are added successfully.

6. Verify that the users have been added to the idsldap1 instance of SDS using the Web Admin Tool (WAT). Open Firefox and click the Web Admin Tool bookmark.

7. Log in to idsldap1 using cn=root/P@ssw0rd.

8. Click Manage Entries in the Content Management section. Click the plus (+) sign near o=jke and you can see the two users, joe and carry, displayed.

9. You can click cn=joe and see some extra details. Click Cancel and then Close. Click Logout in the left pane.

10. Open the Terminal window and repeat the above step for idsldap2 using port 2389. Enter the command as below:
/opt/ibm/ldap/V6.4/bin/idsldapadd -D cn=root -w P@ssw0rd -p 2389 -i /classfiles/User1.ldif

Import LDIF using LDAP Browser

12. We will import user data into the organization “o=jke” using an LDIF file. Open Terminal and navigate to /classfiles:
cd /classfiles

13. Create the file User2.ldif in this folder. Use gedit to open it:
gedit User2.ldif

14. Copy or type the below LDIF entries into the file:

15. Open LDAP Browser by double-clicking LDAP Browser on the Desktop.

16. To add a new connection for the idsldap1 instance, click New.

17. Enter name: IDSLDAP1. Click the Connection tab.

18. Enter the details as below:

19. Click Save. Select IDSLDAP1 and click Connect. You will be able to see the entries in IDSLDAP1.

20. Click o=jke and in the Menu Bar click LDIF. Click Import.

21. Browse to /classfiles, click User2.ldif and click OK. Select Add Only.
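A check worth running on an LDIF file before the idsldapadd step above: the following Python script, added here and not part of the lab manual or of IBM's SDS tooling, parses an LDIF content file as RFC 2849 describes (comments, folded lines, base64 values) and reports the defects that make an import stop partway, namely a duplicate DN, a missing objectClass, an RDN whose naming attribute is absent, and an entry whose parent is neither an existing base such as o=jke nor an earlier entry in the file. The two entries in SAMPLE_LDIF are constructed to resemble the lab's cn=joe, o=jke and cn=carry, o=jke users; their attribute values are assumptions.

```python
import base64
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the lab's User1.ldif: two users under o=jke.
# The attribute values are assumptions for illustration, not the lab's own file.
SAMPLE_LDIF = """\
version: 1
# two person entries under the organization o=jke
dn: cn=joe,o=jke
objectClass: inetOrgPerson
cn: joe
sn: Smith
description:: am9lIGZyb20gc2FsZXM=

dn: cn=carry, o=jke
objectClass: inetOrgPerson
cn: carry
sn: Jones
mail: carry@jke.example
"""

Entry = Tuple[str, Dict[str, List[str]]]
_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?)\s*(.*)$")


def unfold(text: str) -> List[str]:
    """Join RFC 2849 continuation lines (leading single space) and drop comments."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF content records (not change records) into (dn, {attr: [values]})."""
    entries: List[Entry] = []
    dn = None
    attrs: Dict[str, List[str]] = {}
    for line in unfold(text) + [""]:  # trailing sentinel flushes the last record
        if line.strip() == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name, sep, value = m.groups()
        if sep == "::":  # base64-encoded value (non-ASCII, leading space, etc.)
            value = base64.b64decode(value).decode("utf-8")
        if name.lower() == "version" and dn is None and not attrs:
            continue  # optional 'version: 1' header
        if name.lower() == "dn":
            if dn is not None:
                raise ValueError(f"second dn: line inside record {dn!r}")
            dn = value
        elif dn is None:
            raise ValueError(f"attribute {name!r} appears before dn: in a record")
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: lowercase, no whitespace around commas.
    Escaped commas inside RDN values are not handled; fine for the lab's DNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def validate(entries: List[Entry], existing_bases: List[str]) -> List[str]:
    """Report problems that make idsldapadd stop partway through a file."""
    problems: List[str] = []
    known = {normalize_dn(b) for b in existing_bases}  # DNs already on the server
    for dn, attrs in entries:
        ndn = normalize_dn(dn)
        if ndn in known:
            problems.append(f"{dn}: duplicate DN (already in file or on the server)")
        lower = {k.lower(): [v.lower() for v in vals] for k, vals in attrs.items()}
        if "objectclass" not in lower:
            problems.append(f"{dn}: missing objectClass")
        rdn, _, parent = ndn.partition(",")
        attr, _, val = rdn.partition("=")
        if val not in lower.get(attr, []):
            problems.append(f"{dn}: naming attribute {attr}={val} is not among the entry's attributes")
        if parent and parent not in known:
            problems.append(f"{dn}: parent {parent} is not an existing base and does not precede this entry")
        known.add(ndn)  # later entries may be children of this one
    return problems


def check_ldif(text: str, existing_bases: List[str]) -> List[str]:
    """Parse and validate an LDIF body; returns an empty list when it is clean."""
    return validate(parse_ldif(text), existing_bases)


if __name__ == "__main__":
    for issue in check_ldif(SAMPLE_LDIF, ["o=jke"]) or ["no problems found"]:
        print(issue)
```

Pass the suffixes that already exist on the target instance (here o=jke) as existing_bases, so that entries whose parent lives on the server are not reported as orphans.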

Learning Outcomes:
1. Understand the structure and usage of LDIF files for data import.
2. Learn the steps required to import LDAP data from an LDIF file.
3. Ensure data integrity during the import process.
4. Gain experience with command-line tools for LDAP data import.
5. Be able to verify and troubleshoot the import process.

Viva Questions:
1. What is LDIF and how is it used in LDAP?
2. How does the command-line tool facilitate the import of LDIF data?
3. What are the key fields in an LDIF file?
4. What challenges might arise during the LDIF import process?
5. How do you validate the data after importing an LDIF file?

EXPERIMENT 5

MAPPED COURSE OUTCOMES: Understand the fundamental concepts of Identity and Access Management (IAM), including its components, strategies, and integration for enterprise solutions. (CO1)

AIM: Configuring & Logging in to IBM Security Identity Manager Administrative Console.

OBJECTIVE: This experiment will guide you in configuring and accessing the IBM Security Identity Manager Administrative Console. You will learn the steps to set up the console, manage user access, and navigate the interface for managing identity and security services.

STEPS OF PROCEDURE:

System check-out and startup

Your classroom system has IBM® Security Identity Manager and the required middleware already installed. In this exercise, you learn how to start the programs that IBM Security Identity Manager requires to run, and you confirm that your system is operational.

Task 1. Checking network connectivity

1. Make sure that you are logged on as root using password P@ssw0rd on the computer isim.test.
2. Open a terminal window. Test the TCP/IP connectivity of the class machine by running the ping command. Type Ctrl-C to stop the ping command.

ping isim.test

The Lab Setup Guide has detailed instructions on each step, and the appendices contain additional useful information about the VM environment.

Task 2. Starting required middleware

The classroom system has two scripts that simplify the start-up and shutdown of the required middleware and IBM Security Identity Manager:

/ISIMScripts/startISIM.sh
/ISIMScripts/stopISIM.sh

To verify the start-up script status, open the terminal and enter the below command:
tail -f /ISIMScripts/isimstart.log

You will see “Web Administration tool for SDS Started”. All the middleware components are started and ISIM is ready to use.

The startISIM.sh script starts:

IBM Security Directory Server (the isimldap instance):
/opt/ibm/ldap/V6.4/sbin/ibmslapd -I isimldap -n

1) IBM DB2:
. ~db2admin/sqllib/db2profile
db2start

2) IBM Security Identity Manager:
/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/bin/startServer.sh server1

3) IBM Security Directory Integrator (RMI Dispatcher):
/opt/IBM/TDI/V7.2/timsol/ITIMAd start

4) James Email Server

5) Web administration tool for IBM Security Directory Server:
/opt/IBM/WebSphere/AppServer/profiles/AppSrv02/bin/startServer.sh server1

Task 3. Logging in to IBM Security Identity Manager Administrative Console

In this task, you log in to the IBM Security Identity Manager Administrative Console. This console is used for almost all the administrative tasks you do.

1. Open Firefox (icon on the Desktop) and open https://isim.test:9443/itim/console/main, or click the bookmark.

2. Log in with user ID itim manager and password P@ssw0rd.

The IBM Security Identity Manager Administrative Console is presented.

Learning Outcomes:
1. Understand the initial setup process for IBM Security Identity Manager.
2. Learn the configuration steps needed to access the administrative console.
3. Gain practical knowledge on how to navigate the administrative console.
4. Troubleshoot common issues related to logging into the console.
5. Understand the importance of secure login procedures.

Viva Questions:
1. What is the purpose of the IBM Security Identity Manager Administrative
Console?
2. What configurations are required to set up the console?
3. How do you ensure secure login to the console?
4. What are the common troubleshooting steps when login fails?
5. How can you optimize the administrative console for better performance?

EXPERIMENT 6

MAPPED COURSE OUTCOMES: Understand the fundamental concepts of Identity and Access Management (IAM), including its components, strategies, and integration for enterprise solutions. (CO1)

AIM: Creating the organization tree in the IBM Security Identity Manager Administrative Console.

OBJECTIVE: In this exercise, you will learn how to create and structure the organization tree in IBM Security Identity Manager. The organization tree helps manage users, roles, and permissions by establishing a hierarchy based on the organization’s structure.

STEPS OF PROCEDURE:

2.1 Creating the organization tree

Your IBM Security Identity Manager setup defines only the JK Enterprises organization. In the following exercises, you add organizational units for sales, finance, and development. You also add locations under the sales organization for worldwide, Americas, Europe, and Asia Pacific, and a business partner organization for support.

All of the subsequent exercises in this course build on the organization you design here. It is important to use the names exactly as shown to ensure success in completing the rest of the exercises.

Adding the organizational units

1. Log in to the IBM Security Identity Manager Administrative Console as the system administrator with the user ID itim manager and password P@ssw0rd.

2. On the Home tab, go to Manage Organization Structure.

3. Click the plus (+) sign to the left of the house icon to expand the selection. Click the small triangle to the right of the organization JK Enterprises and click Create Organizational Unit.

4. Complete the Organizational Unit form with the following information:

Adding a business partner unit

JKE outsourced its support operations to a company called TechSupport. Employees of TechSupport require access to JKE resources. Therefore, you create a business partner organization off the JK Enterprises branch.

1. Click the arrow to the right of JK Enterprises and click Create Business Partner Unit.

2. Complete the Business Partner Unit form with the following information:

Learning Outcomes:
1. Understand the concept of an organization tree and its significance.
2. Learn to create and organize users and resources effectively.
3. Gain hands-on experience in structuring the organization tree.
4. Explore how the organization tree helps with access control and resource
allocation.
5. Develop skills in managing complex directory structures.

Viva Questions:
1. What is an organization tree in the context of Identity Manager?
2. How does the organization tree affect the management of users and
resources?
3. What steps are required to create an organization tree in the console?
4. How does the organization tree support role-based access control?
5. Can you modify the organization tree after creation? If so, how?

EXPERIMENT 7

MAPPED COURSE OUTCOMES: Apply the LDAP architecture to manage directories, track user roles, and ensure secure directory-based user management. (CO2)

AIM: Creating users in the IBM Security Identity Manager Administrative Console.

OBJECTIVE: In this experiment, you will learn how to create user profiles in the IBM Security Identity Manager Administrative Console. You will also understand how to assign roles, permissions, and other attributes to ensure proper access control.

STEPS OF PROCEDURE:

2.1 Creating users

In this exercise, you manually add people (users) to IBM Security Identity Manager through the web interface.

1. On the Home tab, click Manage Users.

2. Click Create to add the following Person entries to the JK Enterprises business unit. Select User Type Person and click Continue:

Learning Outcomes:
1. Learn the process of creating users in the Identity Manager.
2. Understand how to assign roles, permissions, and attributes to users.
3. Gain hands-on experience in managing user access and security.
4. Learn how users are linked to the organization tree for role-based access.
5. Understand the security implications of user creation.
Viva Questions:
1. What is the process of creating a user in IBM Security Identity Manager?
2. Which user attributes are required during user creation?
3. How are users associated with the organization tree?
4. How do you assign roles and permissions to users?
5. What is the impact of user creation on system security?

EXPERIMENT 8

MAPPED COURSE OUTCOMES: Analyze multi-factor authentication techniques, including OTP, TOTP, and HOTP, and implement effective auditing and reporting strategies for compliance. (CO4)

AIM: Creating a password policy in the IBM Security Identity Manager Administrative Console.

OBJECTIVE: In this experiment, you will learn how to create a password policy within IBM Security Identity Manager. A password policy defines password requirements, such as complexity, expiration, and history, to ensure secure authentication.

STEPS OF PROCEDURE :

In this exercise, you create a password policy that requires passwords for the Linux Service
to be at least four characters long. A four-character minimum is a lab convenience only: a
production policy needs a much longer minimum (NIST SP 800-63B sets 8 characters as the
floor for user-chosen passwords) together with the history and expiry rules described in
the objective.

1. On the Home tab, navigate to Manage Policies > Manage Password Policies.

2. Create a new password policy with the following information.
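The policy created in the console is only a four-character minimum. The following is an added example, not IBM code and not part of this manual: a checker modelled on the rule types an ISIM password policy exposes (length limits, alphabetic and numeric minimums, a repeated-character limit, user-ID and reversed-user-ID restrictions, and a history depth). LAB_POLICY mirrors the exercise; HARDENED_POLICY and every threshold in it are assumptions chosen for illustration. Password history is kept as salted PBKDF2 digests so that old passwords are never stored in clear.

```python
"""Password policy checker (added example, not IBM code).

Models the rule types an IBM Security Identity Manager password policy
exposes. All thresholds below are assumptions for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 64
    min_alpha: int = 1            # minimum alphabetic characters
    min_numeric: int = 1          # minimum numeric characters
    max_repeated: int = 0         # longest run of one character allowed; 0 = no limit
    allow_user_id: bool = False   # may the password contain the user ID?
    allow_reversed_user_id: bool = False  # ... or the user ID spelled backwards?
    history_size: int = 0         # how many previous passwords may not be reused


# The lab policy from the exercise: only a four-character minimum.
LAB_POLICY = PasswordPolicy(min_length=4, min_alpha=0, min_numeric=0)
# A policy closer to what a production Linux service should receive (assumed values).
HARDENED_POLICY = PasswordPolicy(min_length=12, min_alpha=2, min_numeric=1,
                                 max_repeated=3, history_size=5)


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordHistory:
    """Keeps salted PBKDF2 digests of earlier passwords, never the passwords."""

    def __init__(self) -> None:
        self._entries = []  # (salt, digest) pairs, oldest first

    def remember(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _digest(password, salt)))

    def contains(self, password: str, depth: int) -> bool:
        recent = self._entries[-depth:] if depth > 0 else []
        return any(hmac.compare_digest(_digest(password, salt), digest)
                   for salt, digest in recent)


def _longest_run(text: str) -> int:
    longest = run = 1 if text else 0
    for prev, cur in zip(text, text[1:]):
        run = run + 1 if cur == prev else 1
        longest = max(longest, run)
    return longest


def check_password(password: str, user_id: str, policy: PasswordPolicy,
                   history: Optional[PasswordHistory] = None) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        violations.append(f"longer than {policy.max_length} characters")
    if sum(c.isalpha() for c in password) < policy.min_alpha:
        violations.append(f"fewer than {policy.min_alpha} alphabetic characters")
    if sum(c.isdigit() for c in password) < policy.min_numeric:
        violations.append(f"fewer than {policy.min_numeric} numeric characters")
    if policy.max_repeated and _longest_run(password) > policy.max_repeated:
        violations.append(f"a character repeats more than {policy.max_repeated} times in a row")
    lowered, uid = password.lower(), user_id.lower()   # user-ID checks are case-insensitive
    if uid and not policy.allow_user_id and uid in lowered:
        violations.append("contains the user ID")
    if uid and not policy.allow_reversed_user_id and uid[::-1] in lowered:
        violations.append("contains the user ID reversed")
    if history is not None and policy.history_size and history.contains(password, policy.history_size):
        violations.append(f"reuses one of the last {policy.history_size} passwords")
    return violations


if __name__ == "__main__":
    print(check_password("abcd", "jsmith", LAB_POLICY))        # accepted by the lab policy
    print(check_password("abcd", "jsmith", HARDENED_POLICY))   # rejected: too short, no digit
```

Running the same candidate against LAB_POLICY and HARDENED_POLICY shows what the four-character lab setting lets through. Each rule contributes its own message so that the user sees every reason for a rejection at once, which is how the console reports violations as well.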

Learning Outcomes:
1. Understand the importance of password policies in identity management.
2. Learn how to configure password policies for user accounts.
3. Understand how password policies enhance system security.
4. Gain the skills to apply policies across multiple users or groups.
5. Understand the consequences of password policy violations.
Viva Questions:
1. Why are password policies important in identity management?
2. What elements can be configured in a password policy?
3. How does a password policy improve organizational security?
4. How do you apply a password policy to a user or group?
5. What happens if a user violates the password policy?

EXPERIMENT 9

MAPPED COURSE OUTCOMES - Evaluate authentication mechanisms such as Kerberos, Single
Sign-On (SSO), and Federated Identity Management to enhance security in enterprise
systems. (CO3)

AIM: Creating a Linux Service in the IBM Security Identity Manager Administrative
Console.

OBJECTIVE : This experiment will teach you how to create and manage Linux services
within the IBM Security Identity Manager. You will integrate Linux-based systems and
configure access controls for users interacting with these services.

STEPS OF PROCEDURE :
2.1 Creating a Linux Service

In this exercise, you create a service in IBM Security Identity Manager to manage accounts
and groups on a Linux system. You also create a default provisioning policy as part of the
service creation process.

1. Log in to the IBM Security Identity Manager Administrative Console as the system
administrator with the user ID itim manager.

2. On the Home tab, navigate to Manage Services.

3. Click Create.

4. Wait for the list of service types to appear. Ensure that Business unit is set to JK
Enterprises.

5. Select POSIX Linux profile and click Next.

6. Use the information in the following table to complete the Create a Service form
(keep the other settings as they are):

7. Click Finish to create the service.

8. Verify that the Linux Service was added.

Learning Outcomes:
1. Understand how to create and configure Linux services in Identity
Manager.
2. Learn how to manage access for Linux services and user integration.
3. Gain hands-on experience in Linux service configuration.
4. Ensure that security measures are applied to Linux services.
5. Understand the challenges of integrating Linux services into identity
management.

Viva Questions:
1. What is the role of a Linux service in identity management?
2. How do you configure a Linux service in IBM Security Identity Manager?
3. What attributes are required to create a Linux service?
4. How is access controlled for users interacting with Linux services?
5. What challenges might arise when integrating Linux services with IBM
Security Identity Manager?
EXPERIMENT 10

MAPPED COURSE OUTCOMES - Design and implement IAM solutions using Privileged Identity
Management (PIM), Identity-as-a-Service (IDaaS), and ensure adherence to corporate
security policies. (CO5)

AIM: Creating an LDAP service in the IBM Security Identity Manager Administrative
Console.

OBJECTIVE : In this experiment, you will learn how to create and configure an LDAP
service in IBM Security Identity Manager. This will allow seamless integration between
the Identity Manager and external LDAP servers for synchronized identity management.

STEPS OF PROCEDURE :
In this exercise, you create another service. This one manages accounts and groups on the
Tech Support LDAP (IBM Security Directory Server) system. The service communicates with
SDS through the LDAP Profile, which ISIM installs by default at installation time.

1. On the Home tab, navigate to Manage Services.

2. Click Create.

3. Wait for the list of service types to appear. Ensure that Business unit is set to JK
Enterprises.

4. Select LDAP Profile and click Next.

5. Create a new service of type LDAP Profile with the information in the following table:
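Once a service exists, the identity manager reconciles the accounts it finds on the service against the accounts it believes it owns; accounts on the service with no owner are orphans, and owned accounts that have disappeared need attention too. The following is an added example, not IBM code and not part of this manual, covering both the Linux Service of Experiment 9 and the LDAP service of this experiment: it parses a constructed /etc/passwd and /etc/group pair (what the POSIX Linux adapter reads) and a constructed LDIF export (what the LDAP adapter collects from SDS), reduces both to the same login-to-groups shape, and runs one reconcile() over each. The account names, DNs, the MANAGED table and the PRIVILEGED_GROUPS set are all assumptions for illustration.

```python
"""Account reconciliation for a managed service (added example, not IBM code).
Constructed snapshots stand in for what the adapters collect: /etc/passwd and
/etc/group for the POSIX Linux service, an LDIF export for the Tech Support LDAP
service. Both reduce to {login: set(groups)} so one reconcile() serves both."""

# --- constructed sample data (assumed names; not from any real system) -----
PASSWD_SNAPSHOT = """\
root:x:0:0:root:/root:/bin/bash
asmith:x:1001:1001:Alice Smith:/home/asmith:/bin/bash
svc-backup:x:1003:1003::/var/backup:/usr/sbin/nologin
"""
GROUP_SNAPSHOT = """\
root:x:0:root
wheel:x:10:asmith,svc-backup
users:x:100:asmith,ghost
"""
LDIF_SNAPSHOT = """\
dn: uid=asmith,ou=people,dc=jkenterprises,dc=com
objectClass: inetOrgPerson
uid: asmith

dn: uid=cwhite,ou=people,dc=jkenterprises,dc=com
objectClass: inetOrgPerson
uid: cwhite

dn: cn=admins,ou=groups,dc=jkenterprises,dc=com
objectClass: groupOfNames
cn: admins
member: uid=cwhite,ou=people,
 dc=jkenterprises,dc=com
"""
# Accounts the identity manager believes it has provisioned on each service (assumed).
MANAGED = {"Linux Service": {"asmith", "bjones"},
           "Tech Support LDAP": {"asmith", "bjones"}}
# Membership that grants privileged access and deserves an owner review (assumed).
PRIVILEGED_GROUPS = {"root", "wheel", "sudo", "admins"}


def parse_posix(passwd_text, group_text):
    """Return {login: set(groups)}; primary GIDs from passwd are not resolved."""
    groups = {}
    for line in passwd_text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) != 7:
                raise ValueError(f"malformed passwd line: {line!r}")
            groups[fields[0]] = set()
    for line in group_text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, _gid, members = line.split(":")
            for member in filter(None, members.split(",")):
                if member in groups:  # skip members that have no passwd entry
                    groups[member].add(name)
    return groups


def parse_ldif(text):
    """One {attribute: [values]} dict per entry; folded lines are joined,
    base64 ('::') values are left undecoded."""
    entries, entry, last = [], {}, None
    for line in text.splitlines() + [""]:
        if not line:                              # blank line ends an entry
            if entry:
                entries.append(entry)
            entry, last = {}, None
        elif line.startswith("#"):
            continue
        elif line.startswith(" ") and last:       # continuation of the previous value
            entry[last][-1] += line[1:]
        else:
            attr, _, value = line.partition(":")
            last = attr.lower()
            entry.setdefault(last, []).append(value.strip())
    return entries


def ldif_accounts(text):
    """Reduce an LDIF export to {uid: set(group cn)} for inetOrgPerson entries."""
    entries = parse_ldif(text)
    uid_by_dn = {e["dn"][0].lower(): e["uid"][0] for e in entries
                 if "inetorgperson" in map(str.lower, e.get("objectclass", []))}
    groups = {uid: set() for uid in uid_by_dn.values()}
    for e in entries:
        if "groupofnames" in map(str.lower, e.get("objectclass", [])):
            for member_dn in e.get("member", []):
                uid = uid_by_dn.get(member_dn.lower())
                if uid:
                    groups[uid].add(e["cn"][0])
    return groups


def reconcile(service_accounts, managed):
    """orphans: on the service but unknown to the identity manager; missing:
    believed provisioned but absent; privileged: logins needing owner review."""
    return {
        "orphans": {login for login in service_accounts if login not in managed},
        "missing": {login for login in managed if login not in service_accounts},
        "privileged": {login: sorted(g & PRIVILEGED_GROUPS)
                       for login, g in service_accounts.items() if g & PRIVILEGED_GROUPS},
    }
```

Calling reconcile(parse_posix(PASSWD_SNAPSHOT, GROUP_SNAPSHOT), MANAGED["Linux Service"]) reports root and svc-backup as orphans, bjones as missing, and flags every wheel member; the LDIF side reports cwhite as an orphan that also sits in admins. In the real console an orphan is either adopted (assigned to a person) or suspended, and a privileged orphan is the case to handle first.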

Learning Outcomes:
1. Learn the steps to create and configure an LDAP service in Identity
Manager.
2. Understand how LDAP services integrate with identity management
systems.
3. Gain knowledge of how to manage and troubleshoot LDAP integrations.
4. Learn how to synchronize user data between LDAP and IBM Security
Identity Manager.
5. Understand the security considerations of LDAP service creation.

Viva Questions:
1. What is the purpose of creating an LDAP service in Identity Manager?
2. How do you configure an LDAP service in the administrative console?
3. What are the key benefits of LDAP integration in identity management?
4. What challenges can occur during the LDAP service configuration?
5. How do you troubleshoot issues with the LDAP service?

